(57) Abstract

A method and system (100) for monitoring
or profiling quality of service within a network of
computers. The method includes a step of providing 
a network of computers, each being coupled to each 
other to form a local area network. The network 
of computers has a firewall server (110) coupled to 
the network of computers and a traffic management 
tool coupled to the firewall server. The method also 
includes implementing traffic monitoring or profiling 
of incoming and outgoing information.

TRAFFIC MONITORING TOOL FOR BANDWIDTH MANAGEMENT



RELATED APPLICATIONS 
The present application claims priority to U.S. Serial No.
(Attorney Docket No. 018430-000300) filed December 5, 1997, and U.S. Serial No.
60/047,752 filed May 27, 1997, which are both hereby incorporated by reference for all 
purposes. 

BACKGROUND OF THE INVENTION 
The present invention relates to communication or telecommunication. 
More particularly, the present invention provides a technique, including a method and 
system, for monitoring and allocating bandwidth on a telecommunication network at, 
for example, a firewall access point. As merely an example, the present invention is 
implemented on a wide area network of computers or workstations such as the Internet. 
But it would be recognized that the present invention has a much broader range of 
applicability including local area networks, a combination of wide and local area 
networks, and the like. 

Telecommunication techniques have been around for numerous years. In 
the early days, people such as the American Indians communicated to each other over 
long distances using "smoke signals." Smoke signals were generally used to transfer 
visual information from one geographical location to be observed at another 
geographical location. Since smoke signals could only be seen over a limited range of 
geographical distances, they were soon replaced by a communication technique known 
as telegraph. Telegraph generally transferred information from one geographical 
location to another geographical location using electrical signals in the form of "dots" 
and "dashes" over transmission lines. An example of commonly used electrical signals is 
Morse code. Telegraph has been, for the most part, replaced by telephone. The 
telephone was invented by Alexander Graham Bell in the 1800s to transmit and send 
voice information using electrical analog signals over a telephone line, or more 
commonly a single twisted pair copper line. Most industrialized countries today rely 
heavily upon telephone to facilitate communication between businesses and people, in

upgraded to X2 modems, 56K modems, ADSL or DMT modems, ISDN service and
modems, cable TV service and modems, and the like. Drawbacks to these solutions 
include that they typically require additional network service; they also require 
additional hardware and/or software, and further they require both the sender and 
receiver to both agree on using the same hardware and/or software. Although one 
user may have a much faster line or faster modem, another user may still rely on the 
same 1,200 kbaud modem. So, the speed at which information moves from one location 
to another location is often determined by the slowest information which is being 
transferred over the network. Accordingly, users of faster technology are basically 
going nowhere, or "running" nowhere fast, as is commonly stated in the network 
industry. 

From the above, it is seen that a technique for improving the use of a 
wide area network is highly desirable. 



SUMMARY OF THE INVENTION 
The present invention relates to a technique, including a method and 
system, for providing more quality to telecommunication services. More particularly, 
the present invention relates to quality of service management using a novel traffic 
monitoring technique. The present monitoring technique is predominantly software 
based, but is not limited to such software in some embodiments. 

In a specific embodiment, the present invention provides a system with a 
novel graphical user interface for monitoring a flow of information coupled to a 
network of computers. The user interface is provided on a display. The display has at 
least a first portion and a second portion, where the first portion displays a graphical 
chart representing the flow of information. The second portion displays text 
information describing aspects of the flow of information. The combination of the first 
portion and the second portion describe the information being profiled. 

In an alternative specific embodiment, the present invention provides a 
novel computer network system having a real-time bandwidth profiling tool. The real- 
time bandwidth profiling tool has a graphical user interface on a monitor. The 
graphical user interface includes at least a first portion and a second portion. The first

realized by reference to the remaining portions of the specification, drawings, and attached
documents. 



BRIEF DESCRIPTION OF THE DRAWINGS 
Fig. 1 is a simplified diagram of a system according to an embodiment of 
the present invention; 

Fig. 2 is a simplified block diagram of system architecture according to an 
embodiment of the present invention; 

Fig. 3 is a simplified diagram of a traffic management cycle according to an 
embodiment of the present invention; 

Figs. 4-7 are simplified diagrams of systems according to various embodiments 
of the present invention; 

Fig. 8 is a simplified flow diagram of a rule-based control method according to
the present invention; and 

Figs. 9-15 are simplified representations of graphical user interfaces for 
monitoring traffic according to the present invention.

DESCRIPTION OF SPECIFIC EMBODIMENTS 
An embodiment of the present invention provides integrated network service
policies for firewall platforms, as well as other platforms or gateways. Specifically, the 
present invention provides network or firewall administrators with the ability to 
implement policy-based schema for security and resource management on firewall 
platforms. In a specific embodiment, resource management includes Network Quality 
of Service (QoS) or "bandwidth" management techniques. In an exemplary 
embodiment, the present invention provides tools for monitoring traffic for bandwidth 
management, as well as other functions. 

Network QoS occurs by managing the resources that serve network 
application traffic, for example. This typically includes the following resources: link 
bandwidth, application server bandwidth (CPU), and buffer space on generally all nodes 
(end-points, routers and gateways). Typically, data through-put is limited by the speed 
of Internet access links and by the server CPU capacity, and response time is

associated with the expectations and perceptions of end-users and the organization they are
part of. 



3. Bandwidth: Bandwidth usually refers to maximum available bit rate 
for a specific application. In a specific embodiment, synchronous, interactive, and real-time 
applications, which are bandwidth-sensitive, can require minimum bandwidth guarantees, and 
can require sustained and burst-scale bit-rates. On the other hand, network administrators 
may want to limit bandwidth taken by non-productive traffic such as push technologies like 
PointCast and others. Even though bandwidth may be allocated for specified applications, it 
does not mean that these applications may be using that bandwidth. Therefore, a good policy 
should be to enforce when there is competition and demand. 

4. Latency: Latency generally refers to the delay experienced by a packet 
from the source to destination. Latency requirements are typically specified as mean-delay 
and worst case delay in some cases. Real-time audio/video applications such as, for example,
DNS, HTTP, and TELNET are delay sensitive. Delay is a result of propagation delay, due
to physical medium and queuing at intermediate nodes such as routers, gateways, or even 
servers. A certain portion of the delay can be controlled by how the queues are serviced at 
the intermediate nodes, and by controlling congestion at bottleneck points. Some examples of 
delay measures are packet round-trip delay and connection response time. 

5. Jitter: Jitter generally refers to variation in delay (e.g., that is, the
delay is not constant for all packets of a given flow) for a particular application. Real-time 
applications require a worst case jitter. Applications such as real-audio and video do some 
advanced buffering to overcome any variation in packet delays - the amount of buffering is 
determined by the expected jitter. 



6. Packet Loss: Packet loss is a loss in a packet or a portion of packets
that is generally caused by failure of network elements (e.g., routers, servers) to forward or
deliver packets. Packet loss is usually an indication of severe congestion, overload of an
element, or element failure (e.g., if a server is down). Even if the packet was not dropped

Fig. 1 illustrates a simplified system 100 according to an embodiment of
the present invention. The system 100 is merely an illustration and should not limit the
scope of the claims herein. One of ordinary skill in the art would recognize other variations,
modifications, and alternatives. The present invention can be embodied as a TrafficWare™
firewall server 110 from Ukiah Software, Inc., but can be others. System 100 typically
includes a file server 120, and a plurality of computers 130-150, coupled to a local area 
network (LAN) 160, and other elements. Firewall server 110 includes a typical connection to 
a wide area network (WAN) 170 and to a remote LAN 180 (such as an Intranet) and a typical 
network connection 190 to the Internet 200. Attached to Internet 200 are Web servers 210 
and other computers 220. 

As illustrated, computers such as computer 130, 140, and 210 communicate 
using any one or multiple application layer protocols such as Telnet, file transfer protocol 
(FTP), Hypertext transmission protocol (HTTP), and the like. Further, communication 
across WAN 170 and across network connection 190 implements transport layer protocols 
such as transmission control protocol (TCP), universal data protocol (UDP), and the like.
LAN 160 and LAN 180 are preferably based upon network protocols such as Internet 
protocol (IP), IPX from Novell, AppleTalk, and the like. As shown in Fig. 1, network 
connection 190 may be accomplished using T1, ISDN, Dial-up, and other hardware
connections. Computers 120-150 and 210-220 may be any suitable make or model of 
computer that can be coupled to a network. The system can also include a variety of other 
elements such as bridges, routers, and the like. 

In an alternative specific embodiment, the present invention may be applied to 
a system with various links accessed in servicing a browser request at a remote web server. 
In this embodiment, a client could be dialing in via a 28.8kbit dial up modem to a local 
Internet service provider (ISP), where the ISP may be connected to the Internet by a T1 link.
A web server may be on a 10 Mbs Ethernet LAN, which is connected to another ISP via a 
56 K frame relay. The web server's ISP may be connected to its carrier via a T3 line. The 
client ISP carrier and the server ISP carrier may both be connected by an ATM backbone or 
the like. Because of this asymmetry in this embodiment, any traffic management solution
should take into account these variations including traffic speed and data format described

3. Bursty versus non-bursty.
These categories are merely illustrative and should not limit the scope of the claims herein. 
Additionally, some application requirements are dependent on the context of use and the 
nature of data being accessed. Such applications can be described as being nominally 
interactive or nominally bandwidth intense. This means the description applies to many but 
not all the situations in which they are used. 

As merely an example, Table 2 provides some illustrations for these categories.

Application Class                                     Examples
Low-bandwidth, delay sensitive, highly interactive    DNS, PING, TELNET, CHAT, COLLABORATION
High bandwidth, delay sensitive                       Real-time audio and video
High Bandwidth, nominally interactive                 Web service requests, file downloads
Non-interactive                                       Mail and news

Table 2: Application Spectrum

As shown in Table 2, low-bandwidth, delay sensitive, and highly interactive applications
include, among others, DNS, PING, TELNET, CHAT, COLLABORATION. High
bandwidth and delay sensitive applications include at least real-time audio and video.
Additional applications for high bandwidth and nominally interactive, or non-interactive have 
also been shown. Again, these applications are merely provided for illustration and should 
not limit the scope of the claims herein. 

The present invention can also be used with a number of various files. For 
example, a number of common applications, such as FTP and HTTP, can handle a wide 
variety of files. The file types being transferred and downloaded place different demands on 
the underlying infrastructure. Index and HTML files take up limited bandwidth but have very
mundane contents. On the other hand, GIF, JPEG and MPEG, RA and AVI files take up a
lot more bandwidth but provide a rich multimedia experience to the end-user. In fact, push

described in terms of a specific type of information, other types of information on a network
can also be used with the present invention. Additionally, the present invention has been 
described in general to a specific system. For instance, the present bandwidth management 
tool can be applied at a network's Internet access link. Alternatively, the present tool can be 
applied to a private WAN link to a remote corporate site or an access to a server farm (e.g., a 
group of servers located in a special part of the network close to an access link, e.g., in a web
hosting environment). Alternatively, the present invention can be applied to key servers 
(e.g., database/web server) within an organization servicing internal and/or external users. 
Furthermore, the present bandwidth management tool can be applied to any combination of 
the above or the like. 

Fig. 2 is a simplified block diagram 200 of details of system architecture
according to an embodiment of the present invention. The block diagram is merely an
illustration and should not limit the scope of the claims herein. The architecture includes a
variety of layers that each interface to each other as depicted by the layers. The system 
includes a network layer 211, which interfaces to incoming and outgoing information to the 
network. The network can be one of a variety including, among others, Ethernet and Token 
Ring. A physical layer 209 is disposed above the network layer 211. The physical layer can 
be personal computers, which are commonly called PCs, or network interface computers, 
which are commonly called NCs, or alternatively workstations. As merely an example, a
personal computer can be an IBM PC compatible computer having a '586-class based
microprocessor, such as a Pentium™ from Intel Corporation, but is not limited to such a
computer or processor. An operating system ("OS") is used on the computer such as
WindowsNT™ from Microsoft Corporation, but can also be other OSs. The system is also
coupled to a graphical user interface ("GUI") 201 and is coupled to directory services such
as, for example, LDAP, but can be others. A detailed discussion of directory services is
described in U.S. Application Serial Nos. , (Attorney Docket Nos. 18430-1-1,
18430-1-2, 18430-2-3) which are commonly assigned, and hereby incorporated by
reference for all purposes.

Directory services 224 and GUI 201 couple to an application programming 
interface ("API") 223. The API is coupled to a traffic management or bandwidth 
management tool 208 with at least three modules, including a policy engine module 231, a

scope of the claims herein. As shown, Fig. 3 is a simplified diagram 300 of a traffic
management cycle according to an embodiment of the present invention. The traffic 
management cycle is depicted as a continuous cycle, which includes a monitoring phase 301, 
a creating/applying policy phase 303, and a reporting/alarming phase 305, but is not limited 
to these cycles. That is, these cycles can be separated or combined depending upon the
application. By way of this cycle, the tool can adapt to any changes to the networking system 
according to the present invention. 

In an aspect of the present invention, the present tool can monitor and control 
activities at various times, e.g., seconds, days, weeks, months, years. Some details with 
regard to these control activities are shown below under the headings. 

1. Second to second 

The tool provides second to second time scale monitoring and control of 
incoming and outgoing traffic over the network. As merely an example, the tool ensures that 
critical or more important traffic gets a right of way during traffic bursts and provides
bandwidth enforcement. Multiple users of the network at a specific time can cause the traffic 
burst. Alternatively, multiple sessions on the network at a specific time can cause the traffic 
burst. Once the traffic burst is detected, the tool has a control device, which provides 
bandwidth enforcement to ensure that the more important traffic gets through the network. 

2. Day to day

The tool provides day to day time scale monitoring and control of incoming 
and outgoing traffic over the network. As merely an example, the tool manages time of day 
congestion, and responds to intermittent problems or perceived problems. The tool generally 
deals with problems or limitations that are very specific and isolated to particular users or 
particular services at particular times that need to be tracked down quickly. 

3. Week to week 

The tool provides week to week time scale monitoring and control of incoming 
and outgoing traffic over the network. The tool analyzes traffic usage performance patterns, 
what services or hosts are active on the network, and troubleshoots chronic problems. In

customers and the present tool sits by the Internet link and manages inbound and outbound
traffic. 



2. Web Hosting Deployment 

Fig. 5 is a simplified diagram 500 of the present tool in a web hosting 
environment according to the present invention. The diagram 500 includes a variety of 
elements such as a LAN BackBone 501, which is coupled to network elements including web
servers 503, 511, 513, and others. The present tool 505 is coupled between LAN 501 and
router 507, which is connected to the Internet 509. In the present embodiment, the tool is
being used to manage inbound and outbound traffic between some Websites and the Internet.
In a specific embodiment, most of the data being transmitted is multimedia-based, but is not
limited to such data.



3. End-User Deployment 

Fig. 6 is a simplified diagram 600 of the present tool in a campus environment
according to the present invention. The diagram 600 includes a variety of features such as a
campus network 601, which is coupled to network elements such as a desktop PC 603, a
UNIX computer 617, an NT Server 615, a web server 613, directory services 611, and
others. A bandwidth management tool 605 is coupled between campus network 601 and
router 607, which is coupled to Internet 609. In this embodiment, a LAN or WAN supports a
number of different setups and configurations, which compete for bandwidth to access the
Internet. The present tool acts as an arbitrator for implementing rules, enforcing policies,
and setting admissions for classes, as well as performing other acts.

4. Private WAN 

Fig. 7 is a simplified diagram 700 of the present tool deployed for a large 
corporation that has an Intranet as well as an Internet. The diagram 700 includes a variety of 
elements or "children" such as a connection to Frankfurt 715, a connection to London 713, a
connection to Hong Kong 717, and a connection to Paris 719. Each connection or child
includes a router 705A, E, D, C, and the present tool 703A, E, D, C, which is coupled
between the router and the hub ("HQ"). In a WAN-based environment, for example, HQ 701

application, presentation, session, transport, and network. The FAST module also provides
for measurement 219 of various parameters. The FAST module is coupled to the API. 

2. FAIR Module (Flow Analysis and Intelligent Regulation)

The FAIR module generally implements traffic control and manages bandwidth 
of incoming and outgoing information to and from the network or link. Flow Analysis and 
Intelligent Regulation ("FAIR") implements traffic control based on a combination of flow 
control and queuing algorithms. FAIR's objective is to provide inbound and outbound traffic
management for meaningful time intervals, reducing the load on packet classifiers and packet 
schedulers. The FAIR module controls 205 incoming and outgoing information to and from 
the network. Additionally, the FAIR module controls 205 by parameters 215 such as class, 
session, burst, packet, and others. The FAIR module also controls time 217 of allocating 
bandwidth for these parameters. The FAIR module is coupled to the API. 

3. Policy Engine Module 

The policy engine module 231 oversees the FAST and FAIR modules. The 
engine module also interfaces with the API. In an embodiment, the policy engine module 
includes a security policy 201, a traffic policy 202, and other policies 221. The security 
policy provides parameters for securing the present tool. The traffic policy defines specific 
limitations or parameters for the traffic. 

Some definitions about the various modules have been described above. These
definitions are not intended to be limiting. One of ordinary skill in the art would recognize
other variations, modifications, and alternatives. Additionally, the modules described are 
generally provided in terms of computer software. Computer software can be used to 
program and implement these modules, as well as others. The modules can be combined or 
even separated, depending upon the applications. Functionality of the modules can also be 
combined with hardware or the like. In a specific embodiment, the present modules are 
implemented on a WindowsNT™ operating system, which has been developed by Microsoft
Corporation. Of course, other operating systems can also be used. Accordingly, the present 
modules are not intended to be limiting in any manner. 

In an embodiment, the present tool can be configured based upon at least the

Setting priorities - establishing a priority order for bandwidth limiting or
servicing traffic from a class. (That is, high priority classes are serviced first
and are affected the least during contention for bandwidth. Lower priority 
classes are serviced in order of priority and may be more affected by 
congestion or contention); 

Admission control - establishing conditions under which a new network session
or service request is admitted or not admitted. (This kind of policy establishes 
a broad bandwidth control or service quality for sessions already admitted). 

As shown, the present invention provides policies such as bandwidth guarantees, bandwidth 
limits, setting priorities, admission control, and others. It may assist the reader in 
understanding some of the terms used in the policies by drawing an analogy with a 
geographical highway for automobiles. For example, bandwidth relates to how fast one can 
go (e.g., fast or slow lane) once a user has entered the stream of traffic on the highway. That
is, the physical limit for speed in the specific lane chosen. Priority is analogous to how 
quickly the user is able to enter the highway and move into a designated lane, and how often 
the user may have to temporarily give way to other vehicles during the drive. Admission 
control is analogous to the metered lights at the entrance of the freeway where one is made to 
wait under certain conditions. Of course, depending upon the applications other analogies 
can be used to explain the policies. Additionally, the policies are merely examples and 
should not limit the scope of the claims herein. 

3. Traffic Rules 

A rule generally includes a traffic class and a policy associated with the class. 
A class can have several policies that apply at different time intervals. 'Rule' is also used to 
refer to the policy or to a specific row in the present tool user interface. The present tool
user interface is described in, for example, U.S. Application No. (Attorney
Docket No. 18430-000300, commonly assigned, which is hereby incorporated by reference
for all purposes.)

Additionally, monitoring of selected entities (e.g., users,
services) may also be useful.

In a further embodiment, the present tool provides some general guidelines of 
some commonly used applications. These guidelines should be used in conjunction with 
business driven priorities, traffic profiling, and selective real-time monitoring to establish an 
effective traffic policy. Selected guidelines are defined as follows, but are not limited to
these. 

• Delay-sensitive low bandwidth applications, such as TELNET 
and DNS, are controlled best by setting a high priority policy.
The present tool can give the highest priority to all network 
control traffic, such as QoS signaling, session establishment, 
domain lookup and routing protocols. 

• Streaming multimedia applications, such as Real Audio/Video
and Vxtreme, can hog a lot of bandwidth but are also delay and
bandwidth sensitive. If they are not critical, they are controlled 
best by setting a high priority and a policy to limit admission of 
sessions so that bandwidth use is capped but admitted sessions 
have a reasonable quality. 

• Push technologies, such as PointCast and Marimba, download 
large files, are not delay or bandwidth sensitive and usually not 
business critical. They are best controlled by a limiting 
bandwidth policy and a low priority. 

• Bulk-data non-interactive applications, such as SMTP and 
NNTP, should be guaranteed a small bandwidth minimum so 
that they are not totally squeezed out by congestion or control 
policies. 

These terms include, among others, "rules" and "classes" and "policies."
Rules can be created for very specific groups of flows or more general groups of flows,
which are commonly all the stuff that transmits to and from a link to a gateway point.
Groups of flows are also referred to as traffic classes, but are not limited to such classes. 
Classes also can be defined by source, destination, application, file types, URLs, and other 
features. Policies can be specified to control traffic flows in terms of overall bandwidth 
guarantees, bandwidth limits, priority of service, how individual sessions within a class are 
serviced or admitted, and other aspects. The present tool also has intelligent policy validation
that prevents users from defining any contradictory or ambiguous rules. Policy validation is 
generally a higher level check used by way of the present method. 

The present method occurs at start, which is step 801, for example. In
general, a flow of information or data or packets of information enter a gateway point, where
the present tool sits. The present method classifies (step 803) the flow of information.
Groups of flows can be referred to as traffic classes, but are not limited to such classes.
Classes also can be defined by source, destination, application, file types, URLs, and other
features. Other examples of classes were previously noted, but are not limited to these
classes. In general, step 803 classifies the flow of information received into one of a plurality 
of predetermined classes. 

The present tool measures parameters for each of the classes in step 805, which 
were received, for example. These parameters are based upon the policy or rule, which may 
be applied in a later step. As merely an example, parameters include the class itself, file 
sizes, and other information, which can be used by the policy or rule to apply the policy or 
rule to improve the quality of service for the network. After measuring the parameters, the 
present method applies a time stamp (step 807) on the parameters to correlate the class of 
information received to a time, for example. 

A step of determining whether to apply a policy occurs in the next step 809. 
For example, if the class and the time (and the link state in some embodiments) meet 
predetermined settings, the policy is applied to the class in step 811 through branch 810. 
Alternatively, if one of the elements including the class, the time, or the link state does not meet
the predetermined settings, the policy does not apply and the process continues to measure 
parameters through branch 808. Alternatively, the process continues to measure parameters 
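The classify, measure, time-stamp and apply-policy steps (801 to 811) and the policy validation described above can be sketched as follows. This is an added example, not code from the patent or from the TrafficWare product; the port-to-class mapping, the `Flow`, `Policy`, `Rule` and `Gateway` names, and the modelling of "link state" as a congestion flag are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Flow:                       # constructed view of a flow seen at the gateway
    src: str
    dst: str
    dst_port: int
    nbytes: int


@dataclass(frozen=True)
class Policy:
    priority: int                          # 1 is serviced first
    limit_kbps: Optional[int] = None       # bandwidth limit
    guarantee_kbps: Optional[int] = None   # bandwidth guarantee
    max_sessions: Optional[int] = None     # admission control


@dataclass(frozen=True)
class Rule:                       # a traffic class plus a policy for a time interval
    traffic_class: str
    start: time
    end: time
    policy: Policy
    only_when_congested: bool = False      # assumed form of the "link state" test


# Assumed mapping from destination port to traffic class.
PORT_CLASS = {23: "interactive", 53: "interactive", 80: "web", 25: "bulk", 119: "bulk"}


def classify(flow: Flow) -> str:
    """Step 803: place the flow into one of the predetermined classes."""
    return PORT_CLASS.get(flow.dst_port, "others")


def validate(rules):
    """Policy validation: report contradictory or ambiguous rules."""
    errors = []
    for i, r in enumerate(rules):
        p = r.policy
        if r.start >= r.end:
            errors.append(f"rule {i}: empty time interval")
        if (p.limit_kbps is not None and p.guarantee_kbps is not None
                and p.guarantee_kbps > p.limit_kbps):
            errors.append(f"rule {i}: guarantee exceeds limit")
        for j in range(i + 1, len(rules)):
            o = rules[j]
            if o.traffic_class == r.traffic_class and r.start < o.end and o.start < r.end:
                errors.append(f"rules {i} and {j}: overlapping intervals "
                              f"for class {r.traffic_class!r}")
    return errors


class Gateway:
    def __init__(self, rules):
        errors = validate(rules)
        if errors:                          # refuse to load an ambiguous rule set
            raise ValueError("; ".join(errors))
        self.rules = list(rules)
        self.measured = {}                  # class -> measured parameters

    def handle(self, flow: Flow, now: datetime, congested: bool = False):
        cls = classify(flow)                                    # step 803
        m = self.measured.setdefault(cls, {"bytes": 0, "flows": 0, "stamp": None})
        m["bytes"] += flow.nbytes                               # step 805
        m["flows"] += 1
        m["stamp"] = now                                        # step 807
        for r in self.rules:                                    # step 809
            if (r.traffic_class == cls and r.start <= now.time() < r.end
                    and (congested or not r.only_when_congested)):
                return cls, r.policy                            # step 811, branch 810
        return cls, None                                        # branch 808: keep measuring


if __name__ == "__main__":
    rules = [
        Rule("interactive", time(0, 0), time(23, 59, 59), Policy(priority=1)),
        Rule("bulk", time(8), time(18),
             Policy(priority=5, limit_kbps=128, guarantee_kbps=16),
             only_when_congested=True),
    ]
    gw = Gateway(rules)
    mail = Flow("10.0.0.7", "192.0.2.25", 25, 50_000)           # constructed sample flow
    print(gw.handle(mail, datetime(2024, 1, 8, 9, 0), congested=True))
    print(gw.handle(mail, datetime(2024, 1, 8, 20, 0), congested=True))
```

Every flow is measured and time-stamped whether or not a policy fires, so the profile stays complete even for traffic that no rule covers.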

engine.

• Click the Save As 909 button to save the respective data to a log file. The data 
is saved as tab-separated text. 

Each of the present user interfaces also includes function keys 901 and a tool bar 903. Upon 
selecting the profiles tab, a profiles light or display indication illuminates 911. As shown, the 
main profiles tab also includes tabs for services 913, server 915, and client 917. Additional
features of the various tabs including the services tab, the server tab, and the client tab are
described below and refer to Figs. 9, 10, and 11, respectively, but are not limited to these
descriptions. 

1. Services Tab 

Fig. 9 is a simplified diagram 900 of a representation of a graphical user 
interface for a services tab according to the present invention. In particular, the dialog box 
displays cumulative traffic statistics for selected applications. The services tab, which can be 
selected by default, provides the following information: 

Service Name 

This field 919 shows what services (e.g., All Services, FTP, HTTP, SMTP,
POP3, SSL) the network uses. Summary statistics for all services (e.g.,
inbound or outbound) are also shown. Traffic from services that are not
recognized by the present tool are indicated as 'Others'. 

Direction 

This field 919 indicates whether the service is inbound or outbound. 

Note: Inbound and Outbound refer to the direction of data flow, not the 
request. 

Kb Transferred

server.



Time 

This field (not shown) indicates the last time the service was active.

2. Server Tab

Fig. 10 is a simplified diagram 1000 of a representation of a graphical user 
interface for a server tab according to the present invention. Upon selecting or clicking the 
server tab 915, screen 1000 appears. The dialog box displays cumulative traffic statistics for
every active server. The server tab provides the following information, but is not limited to 
such information: 



Server 

This field 1001 shows the server host name, URL or IP address. Summary 
statistics for all servers are also shown. 



Note: 

• In one aspect of the invention, the present tool can profile up to 256 
servers. Subsequent traffic from new servers is indicated as 'Others'. 

• Host names can also be displayed in some embodiments. 

Kb Transferred 

This field 1003 shows the amount of data transferred from the server. As 
shown, the amount of data can be in kilobits transferred. Additionally, the 
amount of data can be referred to as a percentage of all services. 

Round Trip Time 

This field 1005 indicates an average round trip delay for packets sent to the 
server. The round trip time is in milliseconds, but is not limited to this time. 
The minimum and maximum round trip times are also shown in parentheses. 

3. Client Tab 

Fig. 11 is a simplified diagram 1100 of a representation of a graphical user 
interface for a client tab according to the present invention. When the client tab 917 is 
selected or is clicked using a user interface, screen 1100 appears. The dialog box displays the 
cumulative traffic statistics for the clients. The client tab provides the following information, 
but is not limited to such information: 

Client 

This field 1101 shows the client host name or IP address. Summary statistics 
for all clients are also shown. 



Note: The present tool can profile up to 256 clients in some embodiments. 
Subsequent traffic from the clients is indicated as 'Others'. 

Kb Transferred 

This field 1103 shows the amount of data transferred to the client. As shown, 
the amount of data can be in kilobits transferred. Additionally, the amount of 
data can be referred to as a percentage of all services. 



Round Trip Time 

This field 1105 indicates an average round trip delay for packets from this 
client. The round trip time is in milliseconds, but is not limited to this time. 
The minimum and maximum round trip times are also shown in parentheses. 

Connect Response Time 

This field 1105 indicates the average time to establish a session from the client. 
The connect response time is in milliseconds, but is not limited to this time. 
The minimum and maximum connect response times are also shown in 
parentheses. 
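
The server and client tabs both cap profiling at 256 entries and fold later arrivals into 'Others', which keeps the profiling table at a fixed size no matter how many distinct addresses appear. A sketch of that bounded table follows, as an added example that is not code from the patent; the class and function names, the 1000-bit kilobit, and the sample traffic are assumptions.

```python
from dataclasses import dataclass

MAX_PROFILED = 256   # per-tab limit stated in the text
OTHERS = "Others"    # label the text gives to overflow traffic

@dataclass
class HostStats:
    kbits: float = 0.0
    rtt_n: int = 0
    rtt_sum: float = 0.0
    rtt_min: float = float("inf")
    rtt_max: float = 0.0

    def add(self, nbytes, rtt_ms=None):
        self.kbits += nbytes * 8 / 1000.0   # assumption: 1 kilobit = 1000 bits
        if rtt_ms is not None:              # running avg/min/max, no sample list kept
            self.rtt_n += 1
            self.rtt_sum += rtt_ms
            self.rtt_min = min(self.rtt_min, rtt_ms)
            self.rtt_max = max(self.rtt_max, rtt_ms)

class BoundedProfiler:  # hypothetical name; per-host table that never exceeds `limit`
    def __init__(self, limit=MAX_PROFILED):
        self.limit, self.hosts, self.others = limit, {}, HostStats()

    def record(self, host, nbytes, rtt_ms=None):
        if host not in self.hosts and len(self.hosts) < self.limit:
            self.hosts[host] = HostStats()   # room left: profile this host
        self.hosts.get(host, self.others).add(nbytes, rtt_ms)

    def rows(self):
        """(name, Kb transferred, % of total, (avg, min, max) RTT in ms or None)."""
        table = list(self.hosts.items())
        if self.others.kbits:
            table.append((OTHERS, self.others))
        total = sum(s.kbits for _, s in table)
        return [(name, round(s.kbits, 1), round(100 * s.kbits / total, 1) if total else 0.0,
                 (s.rtt_sum / s.rtt_n, s.rtt_min, s.rtt_max) if s.rtt_n else None)
                for name, s in table]

def demo():
    # Constructed sample: four clients against a table limited to two entries.
    p = BoundedProfiler(limit=2)
    sample = [("10.0.0.1", 1000, 20), ("10.0.0.2", 500, 40), ("10.0.0.3", 250, 60),
              ("10.0.0.1", 1000, 30), ("10.0.0.4", 250, 80)]
    for host, nbytes, rtt in sample:
        p.record(host, nbytes, rtt)
    return p.rows()
```
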
'Administrative Tools' Program group and select counters for monitoring incoming and 
outgoing traffic from a link. 

Fig. 12 is a simplified graphical user interface 1200 to launch a performance 
monitoring tool according to the present invention. This interface is merely an illustration 
and should not limit the scope of the claims herein. A method for launching the present tool 
occurs, in part, by selecting or clicking on the performance monitor tab 1201. The display 
shows available traffic classes 1201 (e.g., FTP, HTTP, PointCast), which have been defined 
in the traffic policy. Note that a traffic class is not a rule. There may be more than one rule 
that belongs to the same traffic class. Traffic classes are created when rules are edited. A 
traffic class is defined by at least a source, destination, and service properties. The display 
includes a group of option buttons 1207 titled monitor, which allows a user to specify 
whether the user wants to monitor bandwidth consumption 1209, connect time 1211, or 
connect retries 1213 for the selected classes. A prompt box 1215 above the option buttons 
1207 provides a brief explanation of the selected option. A launch button 1205 launches the 
performance monitor tool. To launch the present performance monitor tool: 

1. Select one or more traffic classes 1203 in the list. 

2. Choose monitor by clicking on an appropriate option button (e.g., 
bandwidth consumption, response time, failures) 1207 in the monitor 
group. 

3. Push launch button 1205. 
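
The relationship between rules and traffic classes described above, and the bandwidth-consumption measurement selected in step 2, as an added example that is not code from the patent: several rules map to one class, each packet is categorized by source, destination and service, and per-class kbit/s is computed per sampling interval against the link capacity. The rule table, addresses, function names and sample packets are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LINK_KBITS = 56.0  # the 56 Kbit Internet link used in the Fig. 13 example

# Constructed policy: (source net, destination net, service port, traffic class).
# Two rules share the class "HTTP", since a traffic class is not a rule.
RULES = [
    ("10.0.0.0/24", "0.0.0.0/0", 80, "HTTP"),
    ("10.0.1.0/24", "0.0.0.0/0", 80, "HTTP"),
    ("10.0.0.0/16", "0.0.0.0/0", 21, "FTP"),
]

def classify(src, dst, port):
    """Return the traffic class of the first matching rule, else 'Others'."""
    src, dst = ip_address(src), ip_address(dst)
    for src_net, dst_net, service, traffic_class in RULES:
        if src in ip_network(src_net) and dst in ip_network(dst_net) and port == service:
            return traffic_class
    return "Others"

def class_bandwidth(packets, interval_s=1.0):
    """packets: (time_s, src, dst, port, nbytes) -> {interval: {class: kbit/s}}."""
    bits = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, port, nbytes in packets:
        bits[int(ts // interval_s)][classify(src, dst, port)] += nbytes * 8
    return {slot: {c: b / 1000.0 / interval_s for c, b in per_class.items()}
            for slot, per_class in sorted(bits.items())}

def utilization(series):
    """Percentage of the link consumed by all classes in each interval."""
    return {slot: round(100.0 * sum(per_class.values()) / LINK_KBITS, 1)
            for slot, per_class in series.items()}

def demo():
    # Constructed packet records; not measurements from the patent.
    packets = [
        (0.1, "10.0.0.5", "203.0.113.9", 80, 1500),
        (0.4, "10.0.1.7", "203.0.113.9", 80, 1000),   # second HTTP rule, same class
        (0.7, "10.0.0.5", "198.51.100.2", 21, 2000),
        (1.2, "10.0.9.9", "198.51.100.2", 25, 500),   # no rule matches
        (1.5, "10.0.1.7", "203.0.113.9", 80, 3000),
    ]
    series = class_bandwidth(packets)
    return series, utilization(series)
```
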



As merely an example, Fig. 13 is a simplified graphical user display 1300 for 
bandwidth consumption according to the present invention. As shown, the Fig. is an example 
of Class Bandwidth 1305 monitoring for a few services 1307 such as FTP, HTTP, etc. over a 
56 Kbit Internet link. The vertical axis 1302 illustrates a bandwidth scale from "0" to "56.0" 
kbits and the horizontal axis represents time 1306. The plurality of line plots 1304 each 
represent one of the services 1307, which are each color coded 1301 for easy reading by the 
user. The display also includes an object 1309 and a computer 1311, which is being used to 
the computer to be monitored 1507, the object 1509, the counter 1511, and the instance 1514. 
Depending on the types of parameters being monitored or profiled, specific visual details of 
the plots or charts are also selected. These details include the plot color 1513, the plot width 
1519, the plot style 1517, and others. A counter definition 1515 is also made or selected. 
Once all the changes have been made or selected, the user can add the changes to be 
monitored by the tool by pressing or selecting the add button 1501. Alternatively, the user 
may start over by selecting the cancel button 1503. If the user would like an explanation on 
any one of the features described in the tool, the user may select either the explain button 
1505 or the help button 1506. Of course, this user interface is merely an example and should 
not be limiting in any manner outside the spirit and scope of the claims. 

In yet an alternative aspect, the present monitoring or profiling tool has a save 
feature for storing the chart or plot. In particular, the present tool can save snapshots of 
measurements to a disk file or the like. As merely an example, the present tool saves 
snapshots using the following sequence of steps, which should not be construed as limiting: 

Go to view/log in the tool to configure a log file; 

Add measurements to the file and start and/or stop logging. 

Furthermore, the present tool provides congestion, utilization, and 
performance degradation reports, which make day to day troubleshooting much simpler and 
serve to justify or validate policy setting decisions. For example, a chronic problem affecting 
a service through a day period (i.e., 24 hour) can be monitored by a combination of real-time 
monitoring, which will be described in more detail below, and congestion reports. By 
monitoring and using the reports, it may be determined that the affected service is not getting 
its due share of bandwidth, or a limitation exists with the server or in the Internet backbone. 

Conclusion 

In the foregoing specification, the invention has been described with reference to 
specific exemplary embodiments thereof. Many changes or modifications are readily 
envisioned. For example, the present invention can be applied to manage a variety of 
TCP/IP network traffic types for the Internet and Intranet. Further, the techniques 

1. A graphical user interface for monitoring a flow of information coupled 
to a network of computers, said graphical user interface comprising: 

a display comprising at least a first portion and a second portion, said 
first portion comprising a graphical chart representing said flow of information, said second 
portion comprising text information describing said flow of information. 

2. The interface of claim 1 wherein said graphical chart comprises 
bandwidth consumption. 

3. The interface of claim 2 wherein said bandwidth consumption is a plot 
of bandwidth consumed against time. 

4. The interface of claim 2 wherein said bandwidth consumption is a 
plurality of plots, each of said plots representing consumed bandwidth against time. 

5. The interface of claim 2 wherein said flow of information comprises one 
of a plurality of traffic classes. 

6. The interface of claim 1 wherein graphical chart comprises a plot of 
failure rates against time. 



7. The interface of claim 1 wherein said graphical chart comprises a plot 
of delay rates against time. 



8. The interface of claim 1 wherein said display is outputted on a 
computer monitor. 

selected from a graph, a histogram, a bar chart, and a pie chart. 

18. A network management method, said method comprising steps of: 

measuring a data rate for a flow of information from an incoming source 
coupled to a network of computers; 

categorizing said data rate from said flow of information based upon at least 
one of a plurality of traffic classes; 

outputting a visual representation of said data rate in graphical form on a 
display; and 

outputting a text representation of said one of said plurality of traffic classes on 
said display. 

19. The method of claim 18 wherein said data rate is a baud rate. 

20. The method of claim 18 wherein said visual representation is a real time 
histogram of said data rate. 

21. The method of claim 18 wherein said text representation comprises text 
for said one of said plurality of traffic classes. 

22. A computer system comprising a bandwidth profiling tool, said 
bandwidth profiling tool being stored in computer memory, said computer memory 
comprising: 

a first code that is directed to measuring a data rate for a flow of information 
from an incoming source coupled to a network of computers; 

a second code that is directed to categorizing said data rate from said flow of 
information based upon at least one of a plurality of traffic classes; 

a third code that is directed to outputting a visual representation of said data 
rate in graphical form on a display; and 

a fourth code that is directed to outputting a text representation of said one of 
said plurality of traffic classes on said display. 